January 8, 2025

India’s Draft Digital Personal Data Protection Rules: Key Highlights

The draft Digital Personal Data Protection Rules, 2025, provide clarity and certainty for organisations working to comply with the DPDPA.

The much-anticipated draft rules under the Digital Personal Data Protection Act, 2023 (DPDPA) have been published for public consultation. Nearly 16 months after the DPDPA’s passage in August 2023, these rules mark a key step in India’s journey towards a robust framework for safeguarding personal data in an increasingly digital economy. Titled The Digital Personal Data Protection Rules, 2025 (Rules), the draft provides clarity for data fiduciaries and other stakeholders on compliance with the provisions of the DPDPA.

A significant step in data protection

The Rules address a range of issues, including consent, privacy notices, processing of children’s data, consent managers, data breaches, security safeguards, and breach notifications. They have been drafted in a straightforward manner, with examples, to aid understanding. The Government aims to balance individual privacy protection with the promotion of business innovation, ensuring that India’s digital infrastructure advances while respecting privacy rights.

The Rules clarify that data fiduciaries must provide clear, independent, and easily understandable privacy notices separate from other information shared with individuals. These notices should detail the information needed for data principals to make informed consent decisions about their personal data processing. Additionally, the notices must include a link to the data fiduciary’s website or app and specify methods to enable individuals to exercise their rights of access, erasure, and withdrawal of consent. While the Government has set out basic principles for privacy notices, it refrains from providing a template, offering businesses flexibility in designing consent management frameworks.

Regarding consent managers, the Rules establish criteria for their registration with the Data Protection Board (Board) and outline obligations for consent managers. A consent manager will serve as a platform enabling individuals to give, manage, review, and withdraw consent for data processing by data fiduciaries onboarded on the platform. Although the concept is innovative, concerns about the implementation and interoperability of consent manager platforms remain unresolved, such as the monetisation model and how these platforms will work with data fiduciaries.

State’s role in personal data processing

The Rules also provide standards for the processing of personal data by the State and its instrumentalities when providing subsidies, benefits, services, certificates, licenses, or permits. Such processing is classified under legitimate uses, allowing the State to process personal data for these purposes without individuals’ consent. The standards ensure that the State’s data processing is lawful, non-arbitrary, and in line with DPDPA compliance. They also mandate that the State limit data collection to necessary purposes, ensure data accuracy, and implement adequate security safeguards.

The Rules prescribe minimum security safeguards for data fiduciaries, including encryption, access controls, monitoring for unauthorised access, and maintaining data backups. Data fiduciaries must also incorporate mechanisms for breach detection, response protocols, and maintain activity logs. Contracts with data processors must mandate compliance with these security requirements. The safeguards must align with technical and organisational standards to prevent data breaches effectively.

Data breach notifications

To minimise the impact of data breaches, the Rules require data fiduciaries to promptly notify both affected individuals and the Board. The notification must outline the nature, scope, and timing of the breach, its potential impact on individuals, and the steps taken to mitigate risks. The data fiduciary must report the breach to the Board within 72 hours, or a longer duration if allowed, providing a detailed report on the breach, including the causes, remedial measures, and communications with data principals. Notably, the Rules do not set a harm-based threshold for notifying breaches, meaning that all breaches, regardless of risk, must be reported. This may pose compliance challenges and potentially overwhelm the Board with notifications that do not present a significant risk to individuals.

Under the DPDPA, data fiduciaries must erase personal data if an individual withdraws consent or if it is reasonable to assume the data’s purpose is no longer being served. The Rules set retention timelines for different categories of data fiduciaries. For example, e-commerce platforms, online gaming intermediaries, and social media entities are allowed to retain personal data for up to three years from the last user interaction. Before data is erased, data fiduciaries must notify individuals at least 48 hours in advance, giving them an opportunity to retain their data by engaging with the platform.

To help individuals exercise their rights, the Rules require data fiduciaries to prominently display the contact details of a designated person on their website or app, making it easier for individuals to address queries related to personal data processing. Data fiduciaries must also publish information about how individuals can exercise their rights, such as access, erasure, and withdrawal of consent. However, no timelines have been provided for data fiduciaries to comply with these requests, leaving ambiguity in the process.

For processing personal data of children, the Rules require data fiduciaries to implement appropriate technical and organisational measures to obtain verifiable parental consent before processing a child’s personal data. Data fiduciaries must also conduct due diligence to verify the identity of the parent or guardian.

Enhanced obligations for significant data fiduciaries

The Rules impose stricter obligations on significant data fiduciaries to ensure robust data protection practices. These entities must perform a Data Protection Impact Assessment (DPIA) and an annual audit, submitting the findings to the Board. Furthermore, significant data fiduciaries must ensure that any algorithmic software used for data processing does not pose a risk to the rights of individuals.

The draft Digital Personal Data Protection Rules, 2025, provide clarity and certainty for organisations working to comply with the DPDPA. The Government has endeavoured to balance privacy rights and the need for business innovation by adopting a flexible approach with basic principles and standards. It is crucial for organisations to begin their compliance journey with the personal data protection legislation without delay.

Akshayy S Nanda is Partner, Saraf and Partners. 

Views are personal, and do not represent the stand of this publication.